Mandatory reporting of ransomware and cyber incident extortion payments in Australia

Donna Short, Partner
Cate Sendall, Special Counsel

What do businesses need to know to prepare?

On 29 November 2024, the Cyber Security Act 2024 (Cth) (Act) was introduced into Australian law. Importantly, Part 3 of the Act introduces ransomware reporting obligations that require “reporting business entities” to provide a ransomware payment report to the Department of Home Affairs (Department) and the Australian Signals Directorate (ASD). The reporting obligations, which commence on 29 May 2025, will help the Australian government build a clearer picture of the cyber extortion landscape in order to disrupt the ransomware business model, which has been successful to date.

A high-level overview of the reporting obligations is provided below.

Which entities are required to report cyber incident payments?

An entity will be a “reporting business entity” (and required to make a report) if it:

  • has an annual turnover that exceeds the turnover threshold specified in the Rules; and
  • is not a Commonwealth or State body.

Under the Act, the Minister has a power to make Rules to prescribe the annual turnover threshold for a business to be captured by the ransomware reporting obligations. The draft Rules, which were released for public consultation, propose that the annual turnover threshold be $3 million (which aligns with the annual turnover threshold for complying with the Privacy Act 1988 (Cth), which is also $3 million).[1] The draft Rules also provide that if a business has been carried on for only part of the previous financial year, the business may still be captured by the ransomware reporting obligations.[2]

Responsible entities for critical infrastructure assets, which have cyber security incident notification obligations under Part 2B of the Security of Critical Infrastructure Act 2018, are also reporting business entities.

What incidents trigger the reporting requirement?

A reporting business entity must make a report within 72 hours of making the ransomware payment (or becoming aware that the ransomware payment was made). It is likely that a report will be required in circumstances where:

  • a cyber security incident has occurred, is occurring, or is imminent (such as a ransomware attack or the exfiltration of data by a threat actor);
  • that incident has had, is having or could be expected to have a direct or indirect impact on the reporting business entity;
  • a demand has been made on the reporting business entity (or any other entity) by an extorting entity which hopes to benefit from the incident (or its impact) on the reporting business entity; and
  • a reporting business entity has provided a payment (or benefit) to an extorting entity (or is aware that another entity has provided the payment or benefit on its behalf).[3]

How will payments be reported?

Reports will be made on a portal being developed on the ASD’s cyber.gov.au website.

Reporting business entities will be required to report the following (to the extent that this is known):

  • the contact details of the entity making the payment;
  • a description of the cyber security incident and its impact on the reporting business entity;
  • a description of the extorting entity’s demand;
  • details of the ransomware payment (or benefit); and
  • communications with the extorting entity concerning: (a) the incident; (b) the demand; and (c) the payment.

Failure to Comply with Ransomware Reporting Obligations

Under the Act, the Department may take enforcement action against entities that fail to comply with the ransomware reporting obligations.[4] A civil penalty of 60 penalty units (currently $19,800) can apply if a reporting business entity fails to make a mandatory report in the required circumstances.

The Department has stated that it will initially take an education-first approach to regulation[5] and will prioritise warnings before seeking civil penalties, particularly in respect of smaller businesses.

What should businesses do?

Businesses should ensure that their data breach and incident response plans are up-to-date and make reference to this new reporting obligation.

Should a ransomware or cyber incident occur, businesses must also consider their obligations under the Privacy Act and whether the incident is a “notifiable data breach” which must be notified to the Office of the Australian Information Commissioner and those individuals whose personal information has been impacted.

Should businesses suffer a cyber incident and/or receive a demand, it is important to act promptly which, in addition to activating their data breach and incident response plans, may also involve engaging cyber security experts, their lawyers and a crisis communications team.

It is important that businesses are prepared and on the front foot should an incident occur!

For further information, please contact our Privacy & Data Protection team.

[1] Cyber Security Legislative Reforms – Explanatory Document, Cyber Security (Ransomware Reporting) Rules.
[2] In the Rules, this formula includes the figure ‘$3 million’ multiplied by the number of days in the part, divided by the number of days in the previous financial year.
[3] This includes circumstances where an entity engages a third-party service provider to negotiate and provide a payment or benefit to the extorting entity on its behalf.
[4] There is a 6-month implementation period for the ransomware reporting obligations to come into effect unless the Minister provides a date prior to 29 May 2025.
[5] Factsheet – Ransomware Reporting, available on www.homeaffairs.gov.au.

Liability limited by a scheme approved under Professional Standards Legislation.

© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.